Government Sites Across the U.S. Are Awash in Hardcore Porn

A webpage on the State of Louisiana’s official site appears to be advertising “animal porn Porn Videos.” The online home of the Federal Judicial Center offers “free how to sex videos,” with a closed captioning feature. The Centers for Disease Control and Prevention’s SimpleReport, identified as an “official website of the United States government” in a banner at the top of the page, provides “Desi Girl Xxx Video sex Videos,” while the City of Bethlehem, Pennsylvania, points to “Sexy Beautiful European Porn.”

These are just a few examples of the wide range of U.S. government websites inadvertently directing visitors to hardcore porn content. Other examples can readily be discovered when searching for pornographic keywords like “xxx” and utilizing Google’s “site:” search operator to query only U.S. government domains.

In some cases, the content appears to violate the very laws of the governments whose sites it has taken over. Pages hosted on the State of Louisiana’s official government site that now redirect to porn, for instance, don’t require visitors to provide proof-of-age verification, as is required under Louisiana’s controversial age verification law. The Supreme Court is due this week to hear a case about the constitutionality of age verification laws.

Spammers have in the past exploited the redirection functionalities of government websites to steer traffic to pornographic content — meaning the government sites themselves never actually hosted malicious content. But this recent wave of porn spam appears to be using a more complex technique: uploading to government pages rogue content that transports website visitors to malicious sites.

The new attacks work by tricking the site into attempting to load a nonexistent image. Doing so invokes what’s called an onerror event in the HTML code, which instructs the web browser to pull up a third-party website if an image won’t load. This exploit transports users from the government page to a third-party site, which in turn redirects to yet another site hosting porn and soliciting signups with referral codes and affiliate links. If the user ultimately signs up for an account on one of these sites, the owner may receive a cash incentive.

In some instances, visitors end up on a page to purchase antivirus software from vendors such as McAfee. In response to questions from The Intercept about a specific ad redirected from a Bethlehem city government website, a McAfee spokesperson said the company would “be taking action to remove this ad.” McAfee did not respond to a question about how much the spammer had made through the affiliate program.

The rogue webpages in some cases appear to have been uploaded to government websites that use older versions of the Kentico content management system, which previously allowed any user to upload files to the website.
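As an added illustration (not from the article, Kentico, or any affected site), a site administrator auditing a publicly writable upload directory could scan uploaded HTML for the pattern described above: an image tag whose onerror handler navigates to a host outside the site. The host names and sample markup are constructed, and `scan_upload` and `own_hosts` are hypothetical names.

```python
from html.parser import HTMLParser
import re

# Navigation primitives an inline handler can use to send the browser elsewhere.
NAV_RE = re.compile(r"location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\(|window\.open\s*\(", re.I)
URL_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+)", re.I)

class OnErrorFinder(HTMLParser):
    """Collects <img> tags whose onerror handler navigates to a foreign host."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        handler = dict(attrs).get("onerror") or ""   # valueless attribute -> None
        if not NAV_RE.search(handler):
            return                                   # cosmetic fallback, not a redirect
        external = [h.lower() for h in URL_RE.findall(handler) if h.lower() not in self.own_hosts]
        if external:
            line, _ = self.getpos()                  # line where the <img> tag starts
            self.findings.append((line, external))

def scan_upload(html_text, own_hosts):
    """Return [(line, [external hosts])] for each suspicious <img onerror=...>."""
    finder = OnErrorFinder(own_hosts)
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample of an uploaded page; not taken from any real site.
SAMPLE = """<html><body>
<img src="logo.png" onerror="this.style.display='none'">
<img src="missing.gif" onerror="window.location.href='https://redirector.example/go?id=1'">
<img src="b.png" onerror="location.replace('https://www.city.example/fallback')">
</body></html>"""

if __name__ == "__main__":
    print(scan_upload(SAMPLE, {"www.city.example"}))
```

The check only matches handlers that contain a literal URL, so a hit is a reason to review the file and the upload permissions, and a clean result does not prove a file is benign.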

Users on forums such as BlackHatWorld, which describes itself as “the global forum and marketplace for cutting edge digital marketing techniques and methods to help you make money in digital marketing today,” routinely advise each other to use the Kentico exploit to inject their content into websites.

Kentico disputed that such attacks point to a vulnerability in its systems, stating that its default settings allow any user to upload files and that it is up to its clients’ website administrators to restrict upload permissions. Kentico confirmed to The Intercept that “media libraries are not secured by default” and that the “default admin account has no password.”

The company pointed The Intercept to its official documentation. “By default, files in media libraries are NOT secured,” the documentation states. “It is up to the user’s discretion when using some feature to read the documentation. E.g. when creating a media library, secure it according given project’s needs and goals.”

None of the impacted governments responded to requests for comment; all pages flagged by The Intercept were taken offline shortly after our outreach.

Emma is a tech enthusiast with a passion for everything related to WiFi technology. She holds a degree in computer science and has been actively involved in exploring and writing about the latest trends in wireless connectivity. Whether it's…
